diff --git a/dnaclab_linux/inventory.yml b/dnaclab_linux/inventory.yml
index cec2744..f91be53 100644
--- a/dnaclab_linux/inventory.yml
+++ b/dnaclab_linux/inventory.yml
@@ -1,29 +1,25 @@
 ---
 all:
 children:
- services:
+ services_hosts:
 hosts:
 ubuntu.dnaclab.net:
- developer:
+ staging.dnaclab.net:
+ developer_hosts:
 hosts:
 developer.dnaclab.net:
+ developer2.dnaclab.net:
 gitlab:
 hosts:
 gitlab.dnaclab.net:
- ansibletower:
+ backup_hosts:
 hosts:
- ansibletower.dnaclab.net:
+ backups.dnaclab.net:
 kubernetes:
 hosts:
 10.221.0.130:
 10.221.0.131:
 10.221.0.132:
- staging:
- hosts:
- 10.221.0.105:
- developer2:
- hosts:
- developer2.dnaclab.net:
 kubernetes_dev:
 hosts:
 172.16.1.130:
diff --git a/dnaclab_linux/prestage_backup.yml b/dnaclab_linux/prestage_backup.yml
new file mode 100644
index 0000000..eb6edbc
--- /dev/null
+++ b/dnaclab_linux/prestage_backup.yml
@@ -0,0 +1,8 @@
+---
+- name: Prestage server(s) with the NCA Automation team users
+ hosts: backup_hosts
+ roles:
+ - ncafsa-backup
+ become: yes
+ vars_files:
+ - global_vars/main.yml
\ No newline at end of file
diff --git a/dnaclab_linux/prestage_users.yaml b/dnaclab_linux/prestage_users.yaml
index 80e5f5d..236165d 100644
--- a/dnaclab_linux/prestage_users.yaml
+++ b/dnaclab_linux/prestage_users.yaml
@@ -1,6 +1,6 @@
 ---
 - name: Prestage server(s) with the NCA Automation team users
- hosts: ansibletower
+ hosts: backup_hosts
 roles:
 - ncafsa-users
 become: yes
diff --git a/dnaclab_linux/roles/ncafsa-backup/tasks/main.yaml b/dnaclab_linux/roles/ncafsa-backup/tasks/main.yaml
new file mode 100644
index 0000000..a23b909
--- /dev/null
+++ b/dnaclab_linux/roles/ncafsa-backup/tasks/main.yaml
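Review bot: The play name in the new prestage_backup.yml is copied verbatim from prestage_users.yaml (`Prestage server(s) with the NCA Automation team users`) although this play applies the ncafsa-backup role, so the two plays are indistinguishable in run output and logs; rename it, e.g. `- name: Prestage backup host(s) with backup service accounts and SFTP`. `become: yes` is a YAML 1.1 truthy value that yamllint flags; write `become: true` (the same applies to the surviving `become: yes` in prestage_users.yaml and update.yml). The file also ends without a trailing newline.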
@@ -0,0 +1,45 @@
+---
+- name: Create account for backup services
+ ansible.builtin.user:
+ name: "{{ item }}"
+ password: "{{ password }}"
+ shell: /bin/bash
+ loop: "{{ services }}"
+
+- name: Create backup directory tree
+ ansible.builtin.file:
+ path: "/backups/{{ item }}"
+ state: directory
+ owner: "{{ item }}"
+ group: "{{ item }}"
+ loop: "{{ services }}"
+
+- name: Install NFS, SFTP and TFTP services
+ ansible.builtin.apt:
+ name: "{{ item }}"
+ state: present
+ loop:
+ - nfs-kernel-server
+ - openssh-server
+ - tftpd-hpa
+
+- name: Configure SFTP for ISE backups
+ ansible.builtin.template:
+ src: sftp.conf.j2
+ dest: /etc/ssh/sshd_config
+ vars:
+ user: "ise"
+
+- name: Fix permissions for SFTP folder
+ ansible.builtin.file:
+ path: "/backups/{{ user }}"
+ state: directory
+ owner: root
+ group: root
+ vars:
+ user: "ise"
+
+- name: Restart SSH service (allows SFTP changes to work)
+ ansible.builtin.service:
+ name: ssh
+ state: restarted
\ No newline at end of file
diff --git a/dnaclab_linux/roles/ncafsa-backup/templates/sftp.conf.j2 b/dnaclab_linux/roles/ncafsa-backup/templates/sftp.conf.j2
new file mode 100644
index 0000000..ba64370
--- /dev/null
+++ b/dnaclab_linux/roles/ncafsa-backup/templates/sftp.conf.j2
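Review bot: The `Configure SFTP for ISE backups` task replaces the whole of /etc/ssh/sshd_config and the final task then restarts ssh unconditionally, so any rendering mistake in sftp.conf.j2 takes SSH down on the backup host with no way back in; add `validate: '/usr/sbin/sshd -t -f %s'` and `backup: true` to the template task and restart through a handler it notifies instead of on every run. Every account in `services` is created with `shell: /bin/bash` and the same `password` hash, while only `ise` is confined by the Match block in the template, so dnac, tftp and other end up as interactive password logins; give them `shell: /usr/sbin/nologin` (or add them to the SFTP Match) and set `update_password: on_create` so later runs do not silently reset the hash. The `Fix permissions for SFTP folder` task makes /backups/ise root-owned, which ChrootDirectory requires, but nothing creates a subdirectory the ise user can write to, so uploads into the chroot will fail. The second and fifth tasks also flip the ownership of /backups/ise between ise and root on every run, so the play never converges for that path; exclude ise from the loop or handle it only in the chroot tasks.
```yaml
# … unchanged: account creation, directory tree, apt install …

- name: Configure SFTP for ISE backups
  ansible.builtin.template:
    src: sftp.conf.j2
    dest: /etc/ssh/sshd_config
    backup: true
    validate: '/usr/sbin/sshd -t -f %s'
  vars:
    user: "ise"
  notify: Restart SSH service

# … unchanged: root-owned chroot root /backups/ise …

- name: Create writable upload directory inside the chroot
  ansible.builtin.file:
    path: "/backups/{{ user }}/upload"
    state: directory
    owner: "{{ user }}"
    group: "{{ user }}"
    mode: "0750"
  vars:
    user: "ise"
```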
@@ -0,0 +1,131 @@
+
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options override the
+# default value.
+
+Include /etc/ssh/sshd_config.d/*.conf
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+#PermitRootLogin prohibit-password
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# Expect .ssh/authorized_keys2 to be disregarded by default in future.
+#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+#PasswordAuthentication yes
+#PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+KbdInteractiveAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the KbdInteractiveAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via KbdInteractiveAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and KbdInteractiveAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd no
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+# override default of no subsystems
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# PermitTTY no
+# ForceCommand cvs server
+
+Match User {{ user }}
+ ForceCommand internal-sftp
+ PasswordAuthentication yes
+ ChrootDirectory /backups/{{ user }}
+ PermitTunnel no
+ AllowAgentForwarding no
+ AllowTcpForwarding no
+ X11Forwarding no
\ No newline at end of file
diff --git a/dnaclab_linux/roles/ncafsa-backup/vars/main.yaml b/dnaclab_linux/roles/ncafsa-backup/vars/main.yaml
new file mode 100644
index 0000000..bc61a0f
--- /dev/null
+++ b/dnaclab_linux/roles/ncafsa-backup/vars/main.yaml
@@ -0,0 +1,6 @@
+services:
+ - dnac
+ - ise
+ - tftp
+ - other
+password: $6$rounds=656000$mysecretsalt$VvhQ/hNVWpgVuv9MXN0zFAGMLloWYezEPvgG/oyFsaTJxmiZWintigtbssQ8zRdH4CjkB6obYcAOASlw2yutl/
\ No newline at end of file
diff --git a/dnaclab_linux/update.yml b/dnaclab_linux/update.yml
index d9c5799..abc12cf 100644
--- a/dnaclab_linux/update.yml
+++ b/dnaclab_linux/update.yml
@@ -1,6 +1,6 @@
 ---
 - name: Update and upgrade packages on Ubuntu VMs
- hosts: kubernetes-dev
+ hosts: backup_hosts
 become: yes
 vars_files:
 - global_vars/main.yml
diff --git a/ios_devices/device_audit.yml b/ios_devices/device_audit.yml
index f4f764c..1a10d6f 100644
--- a/ios_devices/device_audit.yml
+++ b/ios_devices/device_audit.yml
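Review bot: The template keeps the distro default `#PasswordAuthentication yes` commented out in the global section while the `Match User {{ user }}` block re-enables it explicitly, so password logins remain open for every account on the backup host, not just the chrooted SFTP user; set `PasswordAuthentication no` globally and keep `PasswordAuthentication yes` inside the Match block, which is the only place it is needed. `X11Forwarding yes` is likewise enabled globally on a host whose only interactive purpose is receiving backups; `X11Forwarding no` there matches what the Match block already does. Because `Include /etc/ssh/sshd_config.d/*.conf` sits at the top and sshd keeps the first value it reads for an option, any drop-in present in that directory on the target takes precedence over these global lines, so the role should manage or at least check that directory rather than assume the template's values apply. The template is also hard-wired to a single `{{ user }}` even though the role creates four accounts, which is worth a header comment stating that only the ise account is confined. The file ends without a trailing newline after `X11Forwarding no`.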
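Review bot: vars/main.yaml commits a password hash in the clear as a plain role variable (`password: $6$rounds=656000$mysecretsalt$...`), and the salt literally reads `mysecretsalt`; the repository already vaults secrets (ios_devices/roles/common/vars/main.yml is an `$ANSIBLE_VAULT` blob in this same commit), so this value belongs in a vaulted file, regenerated with a random salt, and the hash now in git history should be treated as exposed and rotated. One hash is shared by all four accounts in `services`, so disclosure of any single backup credential opens the others; a per-account mapping such as `service_accounts: {dnac: "{{ vault_dnac_hash }}", ise: "{{ vault_ise_hash }}", ...}` consumed by the user task keeps them independent. Role `vars/` also has very high precedence in Ansible, so this hash cannot be overridden from inventory or `global_vars/main.yml`; `defaults/` or a vaulted group variable fits the intent better. The file also ends without a trailing newline.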
@@ -3,7 +3,7 @@ ## for devices which feature VRFs or multi-instance capabilities. - name: Audit devices and print key information - hosts: baguleykit + hosts: evengkit gather_facts: false connection: network_cli roles: @@ -47,4 +47,4 @@ - name: Print device information debug: - var: runtime_information.stdout_lines[4] \ No newline at end of file + var: runtime_information.stdout_lines[4] diff --git a/ios_devices/inventory.yml b/ios_devices/inventory.yml index 0f9aeb0..66efe92 100644 --- a/ios_devices/inventory.yml +++ b/ios_devices/inventory.yml @@ -7,4 +7,5 @@ homekit: 192.168.1.60: evengkit: hosts: - 172.16.1.239: + 10.3.0.101: + 10.3.0.102: diff --git a/ios_devices/roles/common/vars/main.yml b/ios_devices/roles/common/vars/main.yml index 6fe80ab..55850c6 100644 --- a/ios_devices/roles/common/vars/main.yml +++ b/ios_devices/roles/common/vars/main.yml @@ -1,14 +1,14 @@ $ANSIBLE_VAULT;1.1;AES256 -36666363353431303563373132653732303830323865333734636561616465306661346338393766 -3462656233353031396533363133386439363133363563310a336263303535363666653838393835 -39303964323662653463633933336434396234653738343636373566636365363265333062656532 -3030383335306537320a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a323862313736353430623532306336 +36363165646565643038663938633131343637613238646562323865633065653438656630626339 +3332633937373237380a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